The Court of Appeal in WM Morrison Supermarkets plc v Various Claimants has upheld the High Court decision that an employer was vicariously liable for the actions of a rogue employee who disclosed the personal information of 100,000 employees on the internet.
Mr Skelton was employed by Morrison Supermarkets as a senior IT internal auditor. In July 2013, Skelton received a formal warning following a disciplinary hearing for an incident involving unauthorised private use of Morrison’s postal facilities, which caused him to hold a grudge against Morrison’s. In November 2013 Skelton was tasked with providing KPMG with confidential payroll data of just under 100,000 Morrison’s employees for external auditing purposes. Skelton was provided with an encrypted USB stick containing all of the information, which he downloaded onto his work computer and then copied to another USB stick which was given to KPMG. At a later date, he copied the data on his computer onto another personal USB stick. In January 2014 Skelton released the personal data on a file-sharing internet site under the guise of a colleague and circulated the links on other websites. A few months later he sent the same data to a series of newspapers.
Skelton was investigated and subsequently arrested, charged and convicted of fraud under the Computer Misuse Act 1990 and under Section 55 of the Data Protection Act 1998. Just over 5,500 employees of Morrison brought a group civil claim against Morrison for compensation, arguing that it had breached its duty under Section 4 of the DPA 1998. Claims were also brought for misuse of private information and breach of confidence. The claimants argued that Morrison was both primarily liable for its own acts and omissions and vicariously liable for the actions of Skelton.
The High Court dismissed the claims against Morrison for primary liability under the Data Protection Act, for breach of confidence and for misuse of personal information, as Morrison did not directly misuse, authorise or carelessly permit the misuse of the personal information and, in respect of the personal data, it was not the data controller at the point the data was unlawfully disclosed (Skelton was). The High Court did, however, find that Morrison was vicariously liable for the actions of Skelton. Adopting the approach in the Supreme Court decision in Mohamud v William Morrison Supermarkets plc, the High Court held that there was a sufficient connection between Skelton’s actions and his employment, commenting that there was a seamless and continuous sequence of events that linked his employment to his disclosure. Skelton had stored the information on his personal computer and disclosed the information on a non-working day, but these factors were not sufficient to disengage the conduct from his employment. Morrison appealed the decision of the High Court.
The Court of Appeal upheld the decision of the High Court. The CA stated that the test in Mohamud requires a consideration of two questions: whether Skelton’s actions fell within the field of activities entrusted to him by Morrison; and whether there was sufficient connection between the employment and his wrongful conduct. The CA reaffirmed the comments of the High Court on these two questions, noting that Skelton was deliberately entrusted with the payroll data and sending the data to third parties was within the field of activities assigned to him. Morrison have indicated that they will appeal the Court of Appeal’s decision.
Hannah Pryce comments:
“This long-awaited judgment of the Court of Appeal may seem harsh to employers but should not be unexpected in light of the earlier decision of the Supreme Court in Mohamud and the wide approach of the courts to the question of vicarious liability in the context of employment. It shows in particular that even a wholly innocent employer (as Morrison was in this case) can still be held liable for the actions of a rogue employee. Further, and in light of the GDPR, employers will want to take particular care when entrusting employees with the handling of particularly sensitive personal data, given that even if they have acted properly under the DPA and the GDPR, they can still find themselves vicariously liable for compensation claims as a result of an employee’s criminal misuse of that personal data.”